diff --git a/repos/INSIGHT-Infra/ansible/vault.yml b/repos/INSIGHT-Infra/ansible/vault.yml
new file mode 100644
index 0000000..74c204d
--- /dev/null
+++ b/repos/INSIGHT-Infra/ansible/vault.yml
@@ -0,0 +1,32 @@
+---
+# vault.yml — INSIGHT Secrets
+# Passwörter für PostgreSQL, PgBouncer und Redis
+# Dieses File liegt nur im lokalen Forgejo — niemals in öffentliche Repos!
+
+# PostgreSQL User
+postgresql_users:
+  - name: insight_app
+    password: "fnVQN*jjyY4F&#9yf*1LY116#bhCeplm"
+    role_attr_flags: "LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE"
+  - name: pgbouncer
+    password: "vaUIttUg!iR3buSMehN^S7GAH!m!xYq4"
+    role_attr_flags: "LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE"
+
+# PostgreSQL Grants
+postgresql_grants:
+  - db: insight_core
+    role: insight_app
+    privs: "ALL"
+  - db: insight_crm
+    role: insight_app
+    privs: "ALL"
+
+# PgBouncer Auth
+pgbouncer_users:
+  - name: insight_app
+    password: "fnVQN*jjyY4F&#9yf*1LY116#bhCeplm"
+  - name: pgbouncer
+    password: "vaUIttUg!iR3buSMehN^S7GAH!m!xYq4"
+
+# Redis
+redis_password: "gIIicbZ8T@8gfRVEmYzVEG2sGb24&Hy4"